Privacy notice for current students

Introduction

We could not exercise our responsibilities and fulfil our education, training and support obligations to you without collecting, holding and using your personal data. This guide explains what we do with your personal information and why. When you use specific University services, like our careers service, we will give you further information at that time.

This page provides information on:

Who the Data Controller is

Why we collect and use your personal data

Who your information may be shared with and why?

International data transfers?

Automated decision making

How long we keep your personal data?

Who is the Data Controller

Heriot-Watt University is the Data Controller for personal data we hold about you. Where we use the term ‘our University’, this includes all members of the Heriot-Watt University Group. We hold your personal data securely and restrict access to personal information to people who need to use it in the course of their duties. When collecting and processing information about you, we must comply with the UK Data Protection Act, 2018, the European Union General Data Protection Regulations and other privacy laws, such as the Malaysia Personal Data Protection Act, 2010, that apply in the countries in which the University operates. Heriot-Watt University Student Union is a data controller in its own right. You can read the Student Union Privacy Policy.

What personal information we collect and use

We collect and hold personal information in all formats for the purposes set out in this guide:

Personal and family details

Lifestyle and social circumstances

Education and student records

Relevant employment details

Financial information

Disciplinary and attendence records

Goods and services provided

Visual images, personal appearance and behaviour

Where this is necessary to meet a legal obligation, or with your consent, we may also process sensitive information, also know as special categories of data, which may include:

Racial or ethnic origin

Trades Union membership

Religious or other similar beliefs

Physical or mental health details

Sexual life

Offences and alleged offences

Criminal proceedings, outcomes and sentences

Why we collect and use your personal data

For academic purposes: to provide you with teaching, learning and support services, assess your work, record your progress and confer awards

What's our legal basis?

For most of these activities the University Charter and Statutes gives us legal authority to process your personal data where this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University as Data Controller;

If you use optional free services like careers advice you can opt into these and withdraw your consent to them at any time.

To give you access to student support, accommodation, IT, library, careers, mentoring, social, sport, catering, archive, on-line course materials and forums, and other services to the University community

Deal with appeals, complaints and disciplinary matters promptly and fairly

Provide academic guidance and enable you to communicate with staff, your student representative and fellow students on your programme of study

Seek your feedback on our programmes and facilities

For administrative and financial management purposes: to administer fees and paid-for services

What's our legal basis? If you pay fees or use paid for services like accommodation, catering and sports and exercise services we need to process your data to fulfil a contract you have entered into with us.

These may include:

Fees and payments

Accommodation services

Graphics and printing services

Catering services

Club and facility memberships

Disciplinary fines

To meet our duty of care to you and our legal obligations

What's our legal basis?

Comply with a legal obligation

Protect vital interests in an emergency

Exercise or defend legal claims or comply with court judgements

Provide medical and health services

Protect public health

Where this is necessary:

To meet our legal duty of care to you under health and safety and safeguarding laws

To comply with a statutory obligation, for example under tax or immigration law

To meet our obligations under equality law. Under the UK Equality Act 2010, we need to collect sensitive personal data about our applicants and students on UK campuses to assist with monitoring equality of opportunity and eliminating unlawful discrimination. We hold this information in strictest confidence and only disclose it, again in confidence, to bodies with a statutory duty to collect it, like the Higher Education Statistics Agency (HESA). You can choose whether you want to provide information for this purpose. If a student or applicant declares that they have a disability, we have a duty to disclose this information on a need-to-know basis to staff to ensure that reasonable adjustments are made, enabling disabled students to meet their full academic potential

For public safety and the prevention and detection of crime

What's our legal basis?

Where this is necessary for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security

Processing for these purposes includes:

Use of CCTV systems to monitor and collect visual images

Monitoring use of IT facilities

Applying security, welfare and other procedural measures where necessary for the safety and security of students and the wider University community under health and safety and other relevant laws

To promote the University Group

What's our legal basis?

Where we have your consent

Where necessary for archiving purposes in the public interest

We may take photographs, and other images and recordings of students for possible use in our publicity and promotional material in print and online on our websites and social media. We always inform people when filming and will only feature you in such promotional material with your consent. We keep copies of promotional material in the University Archive as a record of University life down the years.

For alumni engagement

What's our legal basis?

For alumni engagement, processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller

For marketing and fundraising, only where we have your consent

Where necessary for archiving purposes in the public interest

Our University Charter and Statutes give us a positive duty to engage with our alumni and enable them to exercise their rights to be members of our graduates' association, the Watt Club. We will send electronic communications for marketing and fundraising purposes to alumni only with their individual consent. You can read more about the privacy notice for alumni. We keep records of Watt Club activities in the University Archive as a record of University life down the years.

For archiving and research

What's our legal basis?

Where this is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

While always protecting your rights to privacy we will:

Keep a permanent archival record of your time studying with us

Retain copies of promotional material and other records of University community life that may include images and other data about students and alumni

Support academic research under strict confidentiality

Produce management and statistical information to monitor and improve our performance and our services to you and inform strategic planning, e.g. for recruitment

Who your information may be shared with and why

We may publish or share your personal data only where we have your consent or where one of the following conditions are met.

We may appoint people and organisations to work for us and contract with them to act as data processors on our behalf for any of the above purposes. Examples include training, setting and administering examinations, payment and debt collection services, plagiarism detection systems, provision of email and other IT services, e-book platform providers, hosting communications services, IT systems maintenance, safety and incident management systems.

We will also disclose limited personal data where this is necessary for the following reasons:

For academic purposes:

With a partner institution to deliver a programme collaboratively or jointly between the University and the partner institution. For example, an Approved Learning Partner (ALP)

With our external examiners: to check that our assessment of your work is fair

For official independant assessment of our programmes, for example by the QAA

Publicise your award in our graduation programme and in the list of awards we provide in press releases to news media and your previous school or college. You have the right to opt out of this

Enable you to participate in the National Student Survey, the International Student Barometer or other official surveys that give us your feedback on our academic quality and your student experience

If you have taken part in the Lothians Equal Access Programme for Schools (LEAPS), which provides advice and support to help eligible students to enter higher education, we may share limited information with LEAPS about your progress and outcome of your studies, in order to improve the LEAPS service for future participants.

To meet our legal obligations to you and other organisation

We will:

Help the emergency services (fire, police, ambulance) or a health professional to protect your vital interests or someone else’s, for example in a medical emergency

Disclose the contact details of UK campus students who may be eligible to vote to the Electoral Registration Office, in order to contact them to encourage them to register to vote

Provide information to local councils for exemption of Council Tax (if you are in the UK)

Comply with immigration laws. This involves disclosure and data sharing with UK Visas and Immigration; about applicants and students to UK campuses who are subject to immigration law and about students and applicants to our Dubai and Malaysia campuses to the relevant government authorities

Provide limited information necessary to an organisation with a statutory function, such as the police, where this is necessary for law enforcement

International data transfers

As a global organisation we need to process your personal information in a country other than the one you are studying in, when this is necessary to provide you with academic and support services, meet a legal obligation, fulfil a contract with you, or we have your consent. For example if you apply to Go Global or another exchange programme, staff at the campus or institution you are applying to will need to process your data. If you are studying on our Dubai or Malaysia campus, with one of our international partners or by Independent Distance Learning, staff at our UK campuses will need to process your data to administer your studies.

When doing so, we will:

Make sure that appropriate safeguards are in place to protect your information and your rights under privacy law

Apply the same high standards of privacy and security wherever we process your data

Automated decision making

We do not take any decisions about you that would affect your studies based solely on automated processing or profiling.

How long we keep your personal data

We keep information about you only for as long as needed to provide you with academic and support services and meet our legal obligations and rights. Almost all your personal data is destroyed securely 6 years after you leave the University. We keep a limited permanent record of your attendance, what you studied and your award so that we can verify this as needed and for archival purposes. If you stay in touch with us as a member of the Watt Club, our alumni association, we will keep your contact details and other information that you share with us up to date. More information about how long we keep your personal data and why is here.

Your rights

You have the right to:

Find out what personal data we process about you and obtain a copy of the data, free of charge within one month of your request. We may make a charge for additional copies of the same information